a3528d1769254239abf14c2a3271ba710a91d23cadfbce619fba6d99495ede91

Analysis

max time kernel
144s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 03:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
Size

2.9MB
MD5

2a41b8df5b88e7e57ad356486e45ae11
SHA1

79c84e0684aefc93c039b7405dbcb3650bc1c0ce
SHA256

a3528d1769254239abf14c2a3271ba710a91d23cadfbce619fba6d99495ede91
SHA512

2b96ea703dea11564816d3067872c7c5ac7c8d692d0b2931e446ab3d2716a48ea90dce65865abc76252bb4ba827b68061ef270b5f4443e7313a74b20d824989f
SSDEEP

49152:lnqLvvJ9Fod/OpY1Jf+YvoVkXrYErnuKlAhUpd01RMEEWIjf5EfdNQmvLc1UGn:ZqjTyop1CrYsuKlAhUpCMEEFjf5YLzjC

Score

7^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Loads dropped DLL 4 IoCs

pid	Process
2200	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
2200	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
2200	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
1232	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MultipleSearchReplaceShellExt.dll	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
File created	C:\Windows\system32\MultipleSearchReplaceShellExt.dll	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\4dots Software\Multiple Search and Replace\Uninstall.exe	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
File created	C:\Program Files (x86)\4dots Software\Multiple Search and Replace\MultipleSearchReplace.chm	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
File created	C:\Program Files (x86)\4dots Software\Multiple Search and Replace\regexp.txt	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
File created	C:\Program Files (x86)\4dots Software\Multiple Search and Replace\itextsharp.dll	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
File created	C:\Program Files (x86)\4dots Software\Multiple Search and Replace\4dots Software Product CATALOG.url	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
File created	C:\Program Files (x86)\4dots Software\Multiple Search and Replace\license_agreement.rtf	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
File created	C:\Program Files (x86)\4dots Software\Multiple Search and Replace\replace2.ico	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
File created	C:\Program Files (x86)\4dots Software\Multiple Search and Replace\settings.xml	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
File created	C:\Program Files (x86)\4dots Software\Multiple Search and Replace\MultipleSearchReplace.exe	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
File created	C:\Program Files (x86)\4dots Software\Multiple Search and Replace\ICSharpCode.SharpZipLib.dll	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
File created	C:\Program Files (x86)\4dots Software\Multiple Search and Replace\QuitOfficeApplications.exe	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
File created	C:\Program Files (x86)\4dots Software\Multiple Search and Replace\4dotsLanguageDownloader.exe	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
File created	C:\Program Files (x86)\4dots Software\Multiple Search and Replace\PdfSharp.dll	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
File created	C:\Program Files (x86)\4dots Software\Multiple Search and Replace\unrar.dll	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
File created	C:\Program Files (x86)\4dots Software\Multiple Search and Replace\ddb.dat	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 13 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\MultipleSearchReplace\ = "{FE97F5AD-DDC7-4038-B972-1F7FA072B7E7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{8D123B0D-E6B3-4EA2-A47A-A526FD6D0373}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{8D123B0D-E6B3-4EA2-A47A-A526FD6D0373}\ = "MultipleSearchReplaceExt"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\MultipleSearchReplaceExt.DLL	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE97F5AD-DDC7-4038-B972-1F7FA072B7E7}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\MultipleSearchReplace\ = "{FE97F5AD-DDC7-4038-B972-1F7FA072B7E7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\MultipleSearchReplace	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\MultipleSearchReplace	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\MultipleSearchReplaceExt.DLL\AppID = "{8D123B0D-E6B3-4EA2-A47A-A526FD6D0373}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE97F5AD-DDC7-4038-B972-1F7FA072B7E7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE97F5AD-DDC7-4038-B972-1F7FA072B7E7}\ = "MultipleSearchReplaceShellExt Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE97F5AD-DDC7-4038-B972-1F7FA072B7E7}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE97F5AD-DDC7-4038-B972-1F7FA072B7E7}\InprocServer32\ = "C:\\Windows\\system32\\MultipleSearchReplaceShellExt.dll"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4456	msedge.exe
4456	msedge.exe
4052	msedge.exe
4052	msedge.exe
2156	identity_helper.exe
2156	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 1232	2200	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe	86
PID 2200 wrote to memory of 1232	2200	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe	86
PID 2200 wrote to memory of 4052	2200	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe	90
PID 2200 wrote to memory of 4052	2200	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe	90
PID 4052 wrote to memory of 2976	4052	msedge.exe	91
PID 4052 wrote to memory of 2976	4052	msedge.exe	91
PID 4052 wrote to memory of 4440	4052	msedge.exe	92
PID 4052 wrote to memory of 4440	4052	msedge.exe	92
PID 4052 wrote to memory of 4440	4052	msedge.exe	92
PID 4052 wrote to memory of 4440	4052	msedge.exe	92
PID 4052 wrote to memory of 4440	4052	msedge.exe	92
PID 4052 wrote to memory of 4440	4052	msedge.exe	92
PID 4052 wrote to memory of 4440	4052	msedge.exe	92
PID 4052 wrote to memory of 4440	4052	msedge.exe	92
PID 4052 wrote to memory of 4440	4052	msedge.exe	92
PID 4052 wrote to memory of 4440	4052	msedge.exe	92
PID 4052 wrote to memory of 4440	4052	msedge.exe	92
PID 4052 wrote to memory of 4440	4052	msedge.exe	92
PID 4052 wrote to memory of 4440	4052	msedge.exe	92
PID 4052 wrote to memory of 4440	4052	msedge.exe	92
PID 4052 wrote to memory of 4440	4052	msedge.exe	92
PID 4052 wrote to memory of 4440	4052	msedge.exe	92
PID 4052 wrote to memory of 4440	4052	msedge.exe	92
PID 4052 wrote to memory of 4440	4052	msedge.exe	92
PID 4052 wrote to memory of 4440	4052	msedge.exe	92
PID 4052 wrote to memory of 4440	4052	msedge.exe	92
PID 4052 wrote to memory of 4440	4052	msedge.exe	92
PID 4052 wrote to memory of 4440	4052	msedge.exe	92
PID 4052 wrote to memory of 4440	4052	msedge.exe	92
PID 4052 wrote to memory of 4440	4052	msedge.exe	92
PID 4052 wrote to memory of 4440	4052	msedge.exe	92
PID 4052 wrote to memory of 4440	4052	msedge.exe	92
PID 4052 wrote to memory of 4440	4052	msedge.exe	92
PID 4052 wrote to memory of 4440	4052	msedge.exe	92
PID 4052 wrote to memory of 4440	4052	msedge.exe	92
PID 4052 wrote to memory of 4440	4052	msedge.exe	92
PID 4052 wrote to memory of 4440	4052	msedge.exe	92
PID 4052 wrote to memory of 4440	4052	msedge.exe	92
PID 4052 wrote to memory of 4440	4052	msedge.exe	92
PID 4052 wrote to memory of 4440	4052	msedge.exe	92
PID 4052 wrote to memory of 4440	4052	msedge.exe	92
PID 4052 wrote to memory of 4440	4052	msedge.exe	92
PID 4052 wrote to memory of 4440	4052	msedge.exe	92
PID 4052 wrote to memory of 4440	4052	msedge.exe	92
PID 4052 wrote to memory of 4440	4052	msedge.exe	92
PID 4052 wrote to memory of 4440	4052	msedge.exe	92
PID 4052 wrote to memory of 4456	4052	msedge.exe	93
PID 4052 wrote to memory of 4456	4052	msedge.exe	93
PID 4052 wrote to memory of 616	4052	msedge.exe	94
PID 4052 wrote to memory of 616	4052	msedge.exe	94
PID 4052 wrote to memory of 616	4052	msedge.exe	94
PID 4052 wrote to memory of 616	4052	msedge.exe	94
PID 4052 wrote to memory of 616	4052	msedge.exe	94
PID 4052 wrote to memory of 616	4052	msedge.exe	94
PID 4052 wrote to memory of 616	4052	msedge.exe	94
PID 4052 wrote to memory of 616	4052	msedge.exe	94
PID 4052 wrote to memory of 616	4052	msedge.exe	94
PID 4052 wrote to memory of 616	4052	msedge.exe	94
PID 4052 wrote to memory of 616	4052	msedge.exe	94
PID 4052 wrote to memory of 616	4052	msedge.exe	94
PID 4052 wrote to memory of 616	4052	msedge.exe	94
PID 4052 wrote to memory of 616	4052	msedge.exe	94
PID 4052 wrote to memory of 616	4052	msedge.exe	94
PID 4052 wrote to memory of 616	4052	msedge.exe	94

C:\Users\Admin\AppData\Local\Temp\2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\system32\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\MultipleSearchReplaceShellExt.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.4dots-software.com/multiple-search-replace/?afterinstall=true&version=5.5
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd1ad246f8,0x7ffd1ad24708,0x7ffd1ad24718
    3⤵
    PID:2976
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,15165520078178836418,9896017807978339794,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
    3⤵
    PID:4440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,15165520078178836418,9896017807978339794,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4456
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,15165520078178836418,9896017807978339794,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
    3⤵
    PID:616
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15165520078178836418,9896017807978339794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
    3⤵
    PID:4556
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15165520078178836418,9896017807978339794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
    3⤵
    PID:3676
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,15165520078178836418,9896017807978339794,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:8
    3⤵
    PID:3788
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,15165520078178836418,9896017807978339794,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2156
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15165520078178836418,9896017807978339794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
    3⤵
    PID:1124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15165520078178836418,9896017807978339794,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
    3⤵
    PID:2448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15165520078178836418,9896017807978339794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
    3⤵
    PID:2184
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15165520078178836418,9896017807978339794,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
    3⤵
    PID:3116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\4dots Software\Multiple Search and Replace\MultipleSearchReplace.exe

Filesize
958KB

MD5
52b67d8b4b8d6c1cf8035b88a7f1b3cc

SHA1
43ffd2bb7ff726b829e040b0f65e3aea08f1ed90

SHA256
fe66807a5bb7449d8081befd70c58a3ffb85ad70fd05803578c5524c51659f08

SHA512
04e2f5c9619d8329038028194b91ac5c55e530869380b27e01f0db812d22d9939d2db8f0a374d679bbae0a0adcfff5f9da86bffcdfe469053b3685d8970d14c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
1e39b9ae0fe45cd48f8abb9c0998ffbc

SHA1
c30b62cee4b7af1b84263a531d5e73acb0a21874

SHA256
e7bd2181ff10eacae4eaaa66c217b22409bff14e0a7b89dfbeec8ba0c73dadfb

SHA512
755f1bb9ed28bccd6823c42a68235941afe274c8703137907a529a33e3c5dc9d3f02c675364dfcbf85c55bb494150aa4eb3f9f3cbcb7bd6bd248bbc36aff7328

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
791B

MD5
d70d09e415587ef2394a5471420d7ebf

SHA1
c566248b4f3f26bea24038b3d4da0176d1a2cf72

SHA256
840d2cddff0bc9fca2c21fbd313f0b1cf7fc22713a30bc34f842934c7f170cf7

SHA512
9ab52b92f53f139ea353f4a1d1aebd52ace1d64b75a5d2d25fd96c865c231f23b4898e86128e4688ea4ad53102aa8807174fee2eb5e2318cf0e0980db55d524e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bef4ad931ac5c6beb59a4cc8332eec69

SHA1
635903f62fac520d2746c4e6c8b7a101b850ca56

SHA256
b4ce0ed5c03330398ae362c375b13d9e047d3e050aaebb27f37c50852ff34c59

SHA512
288eb90fbdb13374a0f30f97dd5d8e8714dcd0d69914d3fb448e8243b288d6e497840b79f79e29d362458362f7a94f51921e9aa3c46f54ed93c1819566c3d133

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b485c1b4f32c0dc86c54679936fc432b

SHA1
0ad33a057b436630e5126db583cdfab7bdcfb2d9

SHA256
912187e98fb97133f5cf24936d01c35008eb602ea7e710a70f5f6b0a75b88c65

SHA512
6035f929ce9b8a26e29503318819bfa2284ffbd0135d60a6523f9916e172947bf8e417fff62f2d12a8e0da8b87cf8ba22f752e410f7196c0df26658c0b3e8e0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
07a2faaec7414ac27814f057086eb5d3

SHA1
d0acf4cfc9271845efd33594cf5993dc7c7f558d

SHA256
618af14f6b82efa84f438eb239308a69e9219866218913aa6e39f58bd5f38c2c

SHA512
ba66edb7512424877d950dc39b6cffaf68fb303a8e005b7052f2906985b368790e9d54e7a10dc8e19ea34a0db3c9d9df0386675950dfe24efbcbb436c85c4b7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAC7D.tmp\InstallOptions.dll

Filesize
14KB

MD5
8d5a5529462a9ba1ac068ee0502578c7

SHA1
875e651e302ce0bfc8893f341cf19171fee25ea5

SHA256
e625dcd0188594b1289891b64debddeb5159aca182b83a12675427b320bf7790

SHA512
101da2c33f47bd85b8934318e0f0b72f820afc928a2a21e2c7823875e3a0e830f7c67f42b4c2f30596eaa073617790c89700c0d95b7949ec617e52800b61d462

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAC7D.tmp\NSISAdditionalActionsPage.ini

Filesize
652B

MD5
fc0ba3a0e1253b333ea6800fd4232f99

SHA1
7f2daa9a6167b890a32ee15e28ef025a62a3b5ac

SHA256
0268497d9e082eff583dbba0b68251857d8585b28833edeaf844ddd17f2175ee

SHA512
b98fdda2e63b96443899e379a43151d8c6e1baff63a33c8e99deb2c63d358e8e17d36ef8e454b0a23c7149b9a0cdcd0cecea80ca4783153a740d2a58bedc9a8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAC7D.tmp\NSISAdditionalActionsPage.ini

Filesize
578B

MD5
7b9b7c8a97c1afdd562bd9cfa82c2be6

SHA1
cf1a6d6c630d2a80a94f40ad1cc617e16c3aad5c

SHA256
0654e9d3880d9ff6b693b4ba1ce531cb81e2c0039e9d5ec9daf2531d313f3ba1

SHA512
2afada6aaf33cf78140f666a2a17fa706bea73df2406ccf7767fc3345ba6ed61cc60b4c300313569bdaad0f7ed2767d9b2e9193864dfaa52bc6991c8a4d268d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAC7D.tmp\System.dll

Filesize
11KB

MD5
b0c77267f13b2f87c084fd86ef51ccfc

SHA1
f7543f9e9b4f04386dfbf33c38cbed1bf205afb3

SHA256
a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77

SHA512
f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAC7D.tmp\modern-wizard.bmp

Filesize
25KB

MD5
cbe40fd2b1ec96daedc65da172d90022

SHA1
366c216220aa4329dff6c485fd0e9b0f4f0a7944

SHA256
3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

SHA512
62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAC7D.tmp\nsDialogs.dll

Filesize
9KB

MD5
eac1c3707970fe7c71b2d760c34763fa

SHA1
f275e659ad7798994361f6ccb1481050aba30ff8

SHA256
062c75ad650548750564ffd7aef8cd553773b5c26cae7f25a5749b13165194e3

SHA512
3415bd555cf47407c0ae62be0dbcba7173d2b33a371bf083ce908fc901811adb888b7787d11eb9d99a1a739cbd9d1c66e565db6cd678bdadaf753fbda14ffd09

Download Submit
C:\Windows\system32\MultipleSearchReplaceShellExt.dll

Filesize
33KB

MD5
ace9f19e19a07de0fe7e0f1e858a523c

SHA1
898c63c2f9c32d1148f8618a6f9dee89984a8f9d

SHA256
7e79de7c3ef68b615e86a732597a8022de71a14d81be4b4978db39a67cfc3d57

SHA512
a2e32fe5c3652824572f8f1a9a7b145e1c17cb6fbffa52903cffa548f450df89d996b933f95726bb514dfaa16c7d9b2ffa1caedf6ccbf6f1a577b48b0b052ebb

Download Submit